GDPR is one of the most prominent regulatory changes coming up in 2018. CIPR Inside committees members Janet Morgan, Helen Deverell and Jenni Field have created a guide for internal comms professionals in handling its implementation.
What is GDPR?
The General Data Protection Regulation is a piece of EU legislation that will supersede the Data Protection Act 1998. It aims to keep people’s data safer and to give people more say over how their personal information is collected and used.
Organisations that breach the GDPR can be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher.
It comes into effect on 25 May 2018.
How does it affect internal communication?
Businesses and other organisations will be required by law to demonstrate their compliance with the GDPR, which includes being able to show that employees who handle personal data have been told about the regulation and understand what it means for them and for the organisation they work for. So, internal communication practitioners have a vital role to play.
As a function, we also need to be aware of the information we hold on our employees and ensure that we are complying with the new legislation too.
Here are some key things to consider when preparing for the GDPR:
- Find out who is overseeing the GDPR programme/process in your organisation and ask to join the project team, if you’re not already part of it. It’s important that internal communication helps to guide the strategy from the outset, because cutting through the noise and ensuring all employees are aware of the changes is central to demonstrating compliance.
- Start communicating regularly with your employees now to help them understand what the legislation means and what they are required to do to recognise and protect personal information. Keep communication clear, simple and jargon free. It’s also important to know that, although the regulation is the same for everyone, how it applies differs between industries and depends on the kinds of data an organisation processes. Your employees need to know about the legislation as it applies to you, and to be aware that their friends and relatives in other sectors might hear different things.
- The GDPR may affect how you manage internal communication. Recording, storing or using employees’ contact information (which includes employees’ work or corporate email addresses and social media accounts) means you are processing their personal data. Consider conducting an audit of what information you currently hold, where it is held, and how you use it. Remember that this information might be stored locally on paper: the GDPR is not only about digital records.
- Spend time now understanding the legislation and what it means for the whole organisation, not just your team. For example, risk registers will need reviewing, and processes and databases may need updating. Internal communication needs to understand the impact those changes might have on employees and share appropriate, targeted communication about policy changes, training on the new legislation and so on.
- Review your crisis response communication plan. Does it cover data loss, failures in data security or other incidents that result in people’s information being exposed? Ensure it reflects the increased reputational and financial risks the GDPR brings, including the requirement to notify the supervisory authority of certain breaches within 72 hours. Also ensure that the data you hold for your crisis response plan (such as employees’ mobile phone numbers) is itself held in line with the GDPR.
- Customers, suppliers or other external stakeholders could have questions about your organisation’s progress around the GDPR. Creating some short guidance and an overview of the actions you are taking can help employees who are responsible for stakeholder relationships.
- Consider unofficial channels your employees may be using, such as WhatsApp or even personal email addresses. Now is the time to understand how they are being used, and to ensure employees understand how these channels are affected by the GDPR and what their responsibility is to keep information secure.
We strongly recommend that internal communicators start preparing for the GDPR now. CIPR has provided the following resources to support you:
The CIPR comprehensive guidance document
You can also find useful information on the ICO website.
Image courtesy of flickr user Descrier